Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <8e7713ec-f187-41f5-ac8c-bec8142d702a@apache.org>
Date: Thu, 9 Apr 2026 20:51:47 +0100
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-34500: Apache Tomcat: OCSP checks sometimes soft-fail with
 FFM even when soft-fail is disabled

Severity: moderate

Affected versions:

- Apache Tomcat 11.0.0-M14 through 11.0.20
- Apache Tomcat 10.1.22 through 10.1.53
- Apache Tomcat 9.0.92 through 9.0.116

Description:

CLIENT_CERT authentication does not fail as expected for some scenarios 
when soft fail is disabled and FFM is used in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 
10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, 
which fixes the issue.

Credit:

Haruki Oyama (Waseda University) (finder)

References:

https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-34500

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.